Efficient Cryptographic Protocols: Secure Two-Party Computation and Refereed Delegation of Computation

Transcription

1 The Raymond and Beverly Sackler Faculty of Exact Sciences The Blavatnik School of Computer Science Efficient Cryptographic Protocols: Secure Two-Party Computation and Refereed Delegation of Computation Thesis submitted for the degree of Doctor of Philosophy by Ben Riva This work was carried out under the supervision of Professor Ran Canetti Submitted to the Senate of Tel Aviv University November 2013

2 c 2013 Copyright by Ben Riva All Rights Reserved

3 Acknowledgements First and foremost, I wish to thank my advisor, Ran Canetti, for his endless encouragement during my studies. Ran provided me the guidance and assistance I needed, always with patience and vast knowledge. Most of all, he motivated me to follow my research interests, even when they did not align with his :). Graduate studies have their ups and downs, and I would not have made it to the end without Ran s consistent support. Thank you Ran! I thank Amnon Ta-Shma and Alon Rosen, with whom I had the pleasure of collaborating on the design and implementation of the Wombat electronic voting system. Thanks as well to the rest of the Wombat team for taking this project from the ideal world to the real one. In 2011 I was fortunate to be invited to an internship at Microsoft Research. This turned into an important milestone in my research as it helped me shift my focus to secure computation. I want to thank Seny Kamara and Kristin Lauter for inviting me to join their group and for the unique and pleasant experience this afforded. Seny was a wonderful host and gave me valuable advice on practicing applied research. During the time at Microsoft Research I also collaborated with Payman Mohassel who became my co-author in several papers. I thank him for the fruitful and enjoyable joint work. Special thanks to Benny Pinkas, my informal host for half a year in NYC. Discussions with Benny were always enlightening, and greatly broadened my perspective on security research. I am also thankful to Yehuda Lindell and Yuval Ishai for their valuable advice along the way. Thanks as well to my other co-authors: Guy N. Rothblum, Jonathan Ben-Nun, Niko Fahri, Morgan Llewellyn, Douglas Wikström and Arash Afshar. Last, but definitely not least, I would like to thank my family. Warm thanks to my parents, Yechiel and Magi, and to my brother Shai and sister Bar for always being a significant part of my life. A final thanks to my wife Alina, for her love and friendship, and for allowing me to choose my path knowing that I always have her support; this thesis is dedicated to Alina and our daughter Hadas. My research was in part funded by the Check Point Institute for Information Security.

4

5 Abstract This thesis is about efficient cryptographic protocols for two fundamental problems: Secure Two-Party Computation and Verifiable Delegation of Computation. Even though solutions to both problems exist, their concrete efficiency is not satisfactory and other, more efficient solutions are needed for solving these problems for real-world applications. Secure Two-Party Computation. We present two contributions in this topic. First, we consider a variant of secure two-party computation called Non-Interactive Secure Computation (NISC), in which the players are allowed to have only one-round of interaction (i.e. two messages). We present several protocols that work in the NISC setting, and the first prototype implementation of a NISC protocol. Second, we show how to significantly reduce the overheads of previous secure two-party computation protocols based on the cut-and-choose method of Lindell and Pinkas (Eurocrypt, 2007). Verifiable Delegation of Computation. We suggest a new model called Refereed Delegation of Computation (RDoC), in which a client delegates its computation to several servers and is able to learn the correct output of its computation if there is (at least) one honest server. We present two efficient protocols that are secure in the RDoC model. The first does not require any computational assumptions and allows the client to delegate any L-uniform circuit, requiring the client to work in time n poly(d,log(s)), where d and S are the depth and size (respectively) of the circuit that computes the language, and n is the input length. This protocol requires only a single round of interaction between the client and each server. The second protocol is more practical and generic, works with any reasonable computational model, and specifically does not require an expensive translation of a computation to a boolean circuit. We prove its flexibility by adapting it to work directly with the X86 architecture, provide a prototype implementation of the protocol and evaluate its practicality on live clouds.

6

7 Contents 1 Introduction Secure Two-Party Computation (2PC) Our Contribution Verifiable Delegation of Computation Our Contribution Other Results Background on 2PC Notations Sets and Strings Security Parameters and Basic Cryptographic Primitives Boolean Circuits Definitions Ensembles Indistinguishability Security of 2PC in the Presence of Malicious Players Universal Composability (UC) PC Using Garbled Circuits and Oblivious Transfer Garbled Circuit Oblivious Transfer PC with Semi-Honest Players PC with Malicious Players Based on the Cut-and-Choose Method Non-Interactive Secure Computation Based on Cut-and-Choose Introduction Our Contribution in More Detail A High Level Description of Our Main Protocol Other Related Work

8 3.2 The MS-NISC Notion On Malleability and Communication Channels Discussion: Using The First Message Many Times An OS-NISC/MS-NISC Protocol based on DDH The Protocol Proof of Security On the CRS Reducing the Communication Overhead Evaluation Implementation Results Other Constructions Security Against Covert Adversaries without Input Consistency Checks Based on [MF06, LP07] Based on the Random Oracle Model Remaining Open Questions Fully-Secure 2PC Based on Cut-and-Choose with Low Overhead Introduction Preliminaries An Efficient 2PC with Full Security The Protocol Proof of Security Handling Two-Output Functions Refereed Delegation of Computation (RDoC) Related Work The RDoC Model Parallel Repetition for RDoC From Two Servers to N Servers Statistically-Sound One-Round RDoC Protocol for L-uniform Circuits Introduction Preliminaries

9 6.2.1 Low Degree Extension The Protocol of [GKR08] The Protocol of [FK97] A One-round RDoC Protocol for L-uniform Circuits The Protocol, Given a Circuit Specification Oracle Realizing the Oracle for L-uniform Circuits A Computationally-Sound RDoC Protocol for P Introduction An Efficient Protocol for P Preliminaries: Merkle Hash Tree Reduced Turing Machine Configuration The Protocol Extensions Quin: Adaptation and Implementation of Our Protocol for X The Difficulties and Design Choices Adaptation of the Protocol for X System Architecture Evaluation Restrictions and Further Improvements Conclusion 106 Appendices 106 A The Protocol of [FK97] 107 Bibliography 110

10

11 1 Introduction In theory, theory and practice are the same. In practice, they are not. While the literature of Foundations of Cryptography is full of beautiful protocols that can be used for a countless number of applications, many of those protocols are not efficient enough for real-world purposes. This thesis is concerned with constructing more efficient cryptographic protocols. Specifically, we focus on two fundamental tasks: Secure Two-Party Computation and Verifiable Delegation of Computation. Both can be carried out securely using existing cryptographic techniques, but the concrete efficiency of those constructions is still unsatisfactory for many applications. In what follows, we describe these problems in more detail and present our contributions. 1.1 Secure Two-Party Computation (2PC) Informally, a secure two-party computation protocol (2PC) for a known function f (, ) is a protocol between Alice and Bob, with private inputs x and y (respectively), that satisfies the following two requirements: (1) Correctness: If at least one of the players is honest then the result should be the correct output of f (x,y); 1 (2) Privacy: No player learns any information about the other player s input, except for the function output. Security is defined with respect to an adversary who is semi-honest if the corrupted player always follows the protocol, or is malicious if the corrupted player can arbitrarily deviate from the protocol specification. (Throughout this thesis we define security of 2PC using the ideal/real paradigm which compares the real execution of the protocol with a simulated one in an ideal world that is secure by definition. See more details in Section 2.) Semi-honest 2PC. [Yao86] and [GMW87] presented the first 2PC protocols in the presence of semihonest players. A major difference between the two protocols is that the former requires only a small (constant) number of rounds while the later requires a number of rounds that depends on the depth of 1 Of course, we consider here only the case that the protocol ended successfully. If this is not the case, then the output is, denoting a failure. E.g., if one of the players does not participate at all in the protocol, or, caught cheating by the honest player. 1

12 the circuit being computed (i.e. the circuit that computes the function of interest). The number of rounds becomes very significant when one wants to use 2PC in practice. In the following we concentrate on the protocol of [Yao86]. The protocol of [Yao86] is based on two ingredients: an oblivious transfer (OT) protocol and a garbled circuit. In an OT protocol, Bob has an input bit b and Alice has two input strings x 0,x 1. At the end of the protocol, Bob learns x b while Alice learns nothing. Such a protocol can be efficiently constructed from a variety of assumptions, whereas the most efficient constructions in practice require only a small number of exponentiations (in a large finite field) per OT. 2 We proceed to the second ingredient, the garbled circuit. Let C be a boolean circuit. Intuitively, Alice represents each wire of C using two random labels, one for the case the value of this wire is zero and one for the case it is one. Then, for each gate of C, she computes a translation table between the labels of the gate inputs to the labels of its outputs. The set of all translation tables forms the garbled circuit of C. The magic guarantee of the garbling is that given a translation table for a gate g(, ) and two labels l 0,l 1 that correspond to the bits b 0 and b 1, anyone can compute the label that corresponds to the bit g(b 0,b 1 ) without learning anything else (and especially not b 0,b 1 or g(b 0,b 1 )). The same guarantee holds for the entire garbled circuit as well (i.e., given a garbled circuit and a set of labels that correspond to specific input x, one can compute the labels that correspond to C(x) without learning any other information about x). Given an OT protocol and a scheme for garbling a boolean circuit, constructing a 2PC protocol is straightforward: Let C be a boolean circuit that computes f (x, y). Alice prepares a garbled circuit of C and sends it to Bob. She also sends him the labels that correspond to her input x, and the translation of the labels of the output-wires to their actual values. Then, Bob learns the labels that correspond to his input y using y invocations of an OT protocol, where in the ith OT, Bob inputs the ith bit of y and Alice inputs the two labels of that input wire. Bob evaluates the garbled circuit and learns C(x, y) using the information he received and sends the output to Alice. The resulting protocol is fairly efficient since garbling (and evaluating) each gate can be done using a constant number of symmetric-key encryptions (e.g., [LP09]). Furthermore, recent results show how to improve both the computation and communication cost of the garbling process (e.g., getting XOR gates for free [KS08], reducing communication [PSSW09], and designing tailored circuits [HEKM11]). Fully-secure 2PC. The case of malicious players is more complicated. A corrupted Alice, for example, could send a garbled circuit that computes a function f that is different from f, or use OT inputs that are 2 An OT extension protocol (e.g., [IKNP03, NNOB12]) allows one to efficiently extend a small number of OTs to n OTs with the price of only O(n) invocations of a hash function. In this work we refer to the pure OTs as OTs, and mention explicitly whenever an OT extension is being used. 2

13 not consistent with the input-wire labels of the garbled circuit. A classic solution for the case of malicious players is to force the players to behave semi-honestly by employing generic zero-knowledge proofs (ZKP) [GMW91]. Unfortunately, the proofs in this case are rather inefficient. [JS07, NO09] show alternatives that do not require generic ZKP but do require a constant number of exponentiations per gate, making them inefficient for large circuits. [IKO + 11] presents a constant-round 2PC that is asymptotically highly efficient, but the constant factors seem to be significant and we are not aware of any working implementation that evaluates its efficiency in practice. 3 An alternative direction for constructing 2PC protocols in the presence of malicious players is based on using the cut-and-choose method of [LP07] for checking the garbled circuit. 4 (E.g., see implementations by [PSSW09, SS11, KSS12].) Instead of sending only one (and possibly not properly constructed) garbled circuit, Alice sends t garbled circuits. Then, Bob asks her to open a constant fraction of them. For those circuits, Alice sends all the randomness she used in the garbling process (i.e., the wire labels). Bob can check that the opened circuits were indeed correctly garbled. If that is not the case, Bob knows that Alice has cheated and aborts. Otherwise, Bob evaluates the remaining garbled circuits and computes the majority output. It is shown in [LP11, SS11] that with high probability (that depends on t, roughly t ) the majority of the remaining garbled circuits are properly constructed, and thus the majority output is the correct one. However, the above cut-and-choose methodology is not sufficient to obtain a fully-secure 2PC. There are two issues to resolve: (1) Garbler s input consistency: Since Bob evaluates many circuits, he needs assurance that Alice uses the same input in all of them; (2) Evaluator s input consistency: Alice can use different input labels in the OTs and in the creation of the garbled circuits, in such a way that reveals Bob s input. (E.g., she can use invalid labels for the input bit 0 in the OT, but valid ones for 1, causing Bob to abort if his input bit is 0.) An additional issue, which we later call Output Validation, is how can Bob prove to Alice that the output he sends her is the right one. (Recall that in the semi-honest setting, Bob follows the protocol and therefore sends the right output.) When addressing the above issues, the dominant efficiency factors are both the number and the type of additional cryptographic operations required. By expensive operations, we refer to cryptographic primitives that require exponentiations (e.g. oblivious transfer, or public-key encryption), and by inexpensive operations we mean the use of primitives that do not require exponentiations (e.g. symmetric-key encryption, commitments, or hashing). The ratio between the costs in practice of the two types ranges from 3 The protocol combines several techniques that are very efficient asymptotically, such as scalable MPC [DIK10] and using expanders in a non black-box way, where each of these techniques seems to have its own fairly large constants. 4 Historically, using cut-and-choose for checking the garbled circuit was done before [LP07], e.g., in [Pin03, MNPS04, MF06]. Still, [LP07] gave the first rigorous treatment of this approach, and therefore we refer to it as the method of [LP07]. 3

14 a few thousands to tens of thousands. Previous solutions to the above issues (see Section 2.3.4) require either O(t 2 ) inexpensive operations per input/output bit (e.g., [MF06, LP07]) or O(t) expensive ones (e.g., [MF06, LP11, SS11]). These mechanisms can lead to significant overhead. Recall that garbling of a single gate requires a constant number of symmetric encryptions, where the constant is 4 in most implementations. Thus, e.g. for t = 130, the price of checking consistency for a single input bit is roughly equivalent to the price of garbling several tens of additional gates in each circuit in the first method, and even more in the second. Moreover, the first method has a large communication overhead (e.g., for input size n = 500 and t = 130, it requires several millions of commitments, with a total communication overhead of hundreds of megabytes). Non-Interactive Secure Computation. A major drawback of most fully-secure 2PC protocols is that they require several rounds of interaction (e.g., [LP07, LP11] with a constant number of rounds, or [NNOB12] with a number of rounds that depends on the function). A more powerful variant of 2PC is non-interactive secure computation (NISC) in which only a single round of interaction is needed. We consider three flavors of NISC. In the first, which we refer to by One-Sender NISC (OS-NISC), there are only two parties, a receiver (Bob) and a sender (Alice). The receiver sends the first message, the sender replies with the second message, and then the receiver outputs the result of the computation. This is essentially a 2PC with the additional restriction of having only one round of interaction. The second flavor of NISC, which we call Multi-Sender NISC (MS-NISC), is an extension of OS- NISC where the first message can be used for running secure computations with many different senders. I.e., the receiver broadcasts its first (single) message. Each party that wants to participate in the secure computation with the receiver sends a message back to the receiver. Then, after receiving second messages from several (possibly different) senders, the receiver outputs the results of the different computations with all servers (or uses these outputs in other protocols). We stress that each sender does not trust other senders, nor the receiver, and wishes to maintain privacy of its input even if everyone else colludes. A limitation of MS-NISC is that the receiver has to aggregate and output all the secure computation results together. The last flavor of NISC, which we call Adaptive MS-NISC, does not have this limitation. Adaptive MS-NISC is essentially like MS-NISC, except that the receiver outputs each of the secure computation results as soon as it gets it (thus, allowing the adversary to pick its next inputs based on those results). A NISC protocol (for all three flavors) for general computation can be constructed from Yao s garbled circuit, non-interactive ZKP, and fully-secure one-round oblivious transfer as follows: Bob sends the first message of the OT protocol. Alice returns a garbled circuit, the second message of the OT protocol, and a ZKP that her other answers are correct. (See, for example, [CCKM00, HK07] for such OS-NISC 4

15 protocols.) Unfortunately, this ZKP requires a non black-box use of cryptographic primitives (namely, it must prove the correctness of each encryption in each gate of the circuit) which makes the ZKP inefficient. Efficient NISC protocols that do not require such non black-box use of crypto primitives are presented in [IKO + 11] based on the MPC-in-the-head technique of [IPS08]. 5 The complexity of the OS-NISC protocol of [IKO + 11] is C poly(log( C ),log(t))+depth(c) poly(log( C ),t) invocations of a Pseudo- Random Generator (PRG), where C is a boolean circuit that computes the function f (, ), and t is a statistical security parameter. (Another protocol presented in that work uses only O( C ) PRG invocations, but is based on a relaxed security definition.) [IKO + 11] also shows an adaptive MS-NISC protocol for a bounded number of corrupted senders. The complexity of that protocol is O((t + Q) C ) PRG invocations, where Q is the bound on the number of corrupted senders. As noted earlier, although the protocols of [IKO + 11] are very efficient asymptotically, their practicality is unclear and left as an open question in [IKO + 11] Our Contribution Non-Interactive Secure Computation Based on Cut-and-Choose. We focus on OS-NISC and MS- NISC and present a new OS-NISC/MS-NISC protocol that we believe is conceptually simpler and is more practical than previous ones. This protocol is based on the cut-and-choose method and is in the Common Reference String (CRS) model, which is essential for the one-round OT protocol of [PVW08] that we use. We then describe an implementation of our NISC protocol and an efficiency evaluation of it, to examine its practicality. The results show that its performance is comparable with that of the most efficient current implementations of (multi-round) 2PC protocols based on cut-and-choose. In addition to our main protocol, we show how to reduce its communication significantly using an adaptation of a method of [GMS08] to the NISC setting, and briefly describe several other NISC protocols with different tradeoffs. These results are described in Chapter 3 and parts of them appear in [AMPR14]. Fully-Secure 2PC Based on Cut-and-Choose with Low Overhead. We propose new and efficient solutions for the above three issues of the cut-and-choose method that asymptotically and concretely improve on all previous solutions. (See Section for a description of previous solutions.) First, we show how to use garbled XOR-gates to efficiently enforce the garbler s input consistency, 5 Loosely speaking, in MPC-in-the-head protocols, the protocol emulates a multi-party computation protocol (MPC), in the head, and commits to the view of each of the players during the MPC execution. Later, in order to check the correctness of the MPC output, the views of a random subset of the players are revealed, and everyone can verify that the MPC was executed correctly. The soundness of the MPC assures that its output is indeed the right one. 5

16 while requiring only O(t n 1 ) inexpensive operations, where n 1 is the garbler s input length. This approach asymptotically improves the solutions in [MF06, LP07], and only requires inexpensive operations in contrast to the solution of [SS11]. Second, we observe that a solution of [LP07] to the evaluator s input consistency issue can be improved by combining it with the OT extension of [NNOB12] and the Free-XOR technique of [KS08]. The resulting protocol requires only O(t max(4n 2,8t)) inexpensive operations, where n 2 is the evaluator s input length. Third, we show how to use garbled identity-gates to efficiently solve the output validation problem, while requiring only O(t q 1 ) inexpensive operations, where q 1 is the garbler s output length, improving on the recent construction of [SS11] which requires the same number of expensive operations. To summarize, the (amortized) cost per input/output wire in the resulting protocol is only a constant number of inexpensive operations per wire per garbled circuit, making it more efficient than all previous constructions based on the cut-and-choose method [MF06, LP07, LP11, SS11] (except for [Woo07], which is impractical due to large constants). We stress that the efficiency of our techniques relies on the efficient OT extension of [NNOB12]. That protocol is analyzed in the Random Oracle Model (ROM) and our construction inherits the same weakness. (Besides using ROM for the OT-extension of [NNOB12], in some of our techniques we show two alternatives: A more efficient instantiation in the ROM, and one without the ROM abstraction, which is still more efficient than current techniques.) We remark that our proposed solutions can be modified to work with any of the existing garbledcircuit optimization techniques of [KS08, GMS08, PSSW09, HEKM11, KSS12]. These results are described in Chapter 4 and appear in [MR13]. 1.2 Verifiable Delegation of Computation An emerging paradigm in modern computing is pay-per-use Cloud Computing, where individuals and companies outsource computations to companies that perform them on dedicated servers. This motivates exploring methods for delegating computations reliably, while maintaining the efficiency gains: A weak client delegates his computation to a powerful server; once the server returns the result of the computation, the client should be able to verify the correctness of that result so that (1) The client uses considerably less resources than those required to actually perform the computation from scratch, and (2) The server does not use significantly more resources than those needed for performing the computation. A classic solution to this problem is to have the server prove correctness of the computation using a Universal Argument [Kil92, BG08]. Here the server incurs a polynomial overhead and the client s complexity is linear in the input length and security parameter, and only polylogarithmic in the complexity 6

17 of the original computation. This solution is general and applicable to any problem in P. However, a major drawback of the above protocols is their use of Probabilistically Checkable Proofs (PCP) [AS98]. Although PCP constructions are very efficient by means of asymptotic complexity, their true practicality is unclear due to the actual constants involved. (See [SMBW12, SVP + 12, SBV + 13, BSCG + 13] for recent evaluations of verifiable delegation of computation using PCPs.) [GGP10, CKV10, AIK10] construct computationally sound protocols, where in an offline stage the client runs in time that is proportional to the size of the computation. Afterwards, in an online stage, the client (using the secret result of the offline stage) runs in time proportional to the size of its inputs and the computation results. In these works, as long as the client does not encounter cheating provers, the same pre-processing information can be used in multiple rounds, yielding improved amortized complexity. These protocols are based on the existence of a Fully Homomorphic Encryption (FHE), which is currently also far from being practical (e.g., see [GHS12] for efficiency of state-of-the-art FHE). All the above protocols, including the two-message ones, have only computational soundness. In fact, no statistically-sound protocol with a constant number of rounds is known. An alternative delegation protocol, proposed by [GKR08], guarantees statistical soundness. However, the protocol works only for languages that have L-uniform circuits. 6 Furthermore, the number of rounds is quasilinear in the depth of the circuit. For small depth circuits, this protocol can be transformed, using the technique of [KR09], into a one-round protocol assuming the existence of a computational Private Information Retrieval scheme with polylogarithmic communication. Here, however, soundness is only computational Our Contribution The Refereed Delegation of Computation (RDoC) Model. We present a natural setting, where the client interacts with several servers. Indeed, this relaxation allows some very simple solutions: If one is willing to interact with three or more servers and to assume that a majority of the servers are honest, then it suffices to simply ask each server for the answer and take the majority answer. 7 If we assume there is only one honest server, the client can still detect inconsistency between the answers, and in case of one, he has to compute the function by himself. But can one do better? In particular, can we get efficiency improvements over the single server case, with access to two (or more) servers, only one of which is honest, and for a client that can not compute the function by himself? Below we provide a positive answer to this question. Specifically, we are interested in the following model: The client asks for the result of f (x) from two (or more) servers. In case they make contradictory 6 A circuit family {C n }, where C n works with inputs of length n, is L-uniform if there exists a Turing Machine that given an input 1 n, runs in log-space and outputs the circuit C n. 7 Indeed, this approach is used in Grid Computing, e.g., BOINC [Boi11]. 7

18 claims about f (x), the client engages in a protocol with each of the servers, at the end of which the client can efficiently determine the true claim, as long as there is at least one honest server. As for efficiency, we require that the computational requirements from an honest server are not much more than those required to compute the function in the first place, and that the client s running time is much smaller than the time required to compute the function. We call this model Refereed Delegation of Computation (RDoC) since the client acts like a referee. A closely related model to ours is the Refereed Games (RG) model of Feige and Kilian [FK97] where they focus on two unbounded competing servers and polynomial time referee. However, we are faced with the additional challenges of building protocols with efficient honest servers, with super-efficient client and for any number of servers. Indeed, our model can be considered also as refereed games with efficient servers and super-efficient clients. These results are described in Chapter 5 and appear in [CRR11, CRR12]. A Statistically-Sound One-Round RDoC Protocol for L-uniform NC Circuits. We present a statistically-sound protocol for L-uniform circuit families that requires only a single round of interaction, i.e., one message from the client to the servers and one message from each of the servers to the client. Recall that there is no known statistically-sound protocol for the model with only one server, even with a constant number of rounds. Our protocol adapts techniques from a protocol of [FK97], where the servers are inefficient even for log-space computations, together with techniques from the work of [GKR08], and some new ideas that take advantage of low-degree multi-variate polynomials. The servers work grows polynomially with the complexity of the computation and the client s work is only n poly(d,log(s)), where d and S are the depth and size of the circuit being evaluated, and n is the input length. These results are described in Chapter 6 and appear in [CRR12]. A Computationally Sound RDoC Protocol for P. We show a full-information RDoC protocol for any efficiently computable function, with logarithmically (in the size of the computation) many rounds, based on any collision-resistant hash function family. Here, by full information we mean that the servers can see the full internal state of the client and the communication between the client and the servers is public. We believe that this protocol is more practical than known techniques for delegating computation in the single-server setting. We note that, while the asymptotic complexity of our protocol is similar to that of the PCP-based protocols (namely, servers work grows only quasi-linearly with the complexity of the computation), for realistic parameters the proposed protocol is more efficient by several orders of magnitude, even compared to the best current implementations of PCPs. In addition, most previous protocols work with an (arguably less practical) circuit representation of the computation, whereas our 8

19 protocol seems to be more flexible to changes in the computation model (and in particular is more amenable to real-world computation models). The property of full-information means that, in a setting where messages between clients and servers are digitally signed, the protocol guarantees that as soon as a server cheats, the client detects the cheating and obtains a publicly verifiable proof of this fact. This is a strong guarantee: we view the servers as rational self-interested parties (say cloud computing service providers). An honest server can convince even third parties that all of the cheating servers are cheaters. Assuming that pointing out cheaters is rewarded and cheating is penalized, playing honestly becomes (always) a dominant strategy for rational servers. Furthermore, the protocol guarantees that in case all servers agree upon the result, there are no overheads for the servers, nor for the client. The overhead kicks in only in case the servers do not agree. In this case, the overhead is only poly-logarithmic in the size of the computation. To evaluate the practicality of the protocol, we adapt it for the X86 computation model. A simplistic adaptation would be to simply run a Turing Machine simulator for X86, but this would result in highly inefficient code. Instead, we adapt the protocol to the X86 computation model: Instead of Turing Machine transitions we have assembly instructions, and instead of working tapes we have the machine s stack and heap memories. This highly improves the practicality of the protocol and demonstrates its flexibility. We present a prototype implementation of this adaptation for the Windows environment. Our implementation, which we call Quin 8, works directly with X86 assembly instructions. However, we do not require the programmer to write his code in assembly. The programmer can write his code in C language and later on build the program to run with our framework. This is an important feature since it makes the implementation almost transparent for the application programmer. Moreover, with small modifications to our prototype, it allows future support for other languages that compile to X86 assembly. We experiment with this prototype on live cloud servers and show that the overhead is almost reasonable for real-world applications. For some parameters we get a slowdown factor of only 8, compared to the original application. These results are described in Chapter 7 and appear in [CRR11]. 1.3 Other Results Before proceeding, I would like to mention that during my Ph.D. studies I have also published the following results, which are not included in this thesis: 8 Latin word for indeed. 9

20 In [BNFL + 12] we design and implement a cryptographic protocol for Electronic Voting called Wombat, and report on two real-world elections that Wombat was used in. In [KMR12] we show how a set of players can use a (potentially malicious) third-party, e.g. a cloud server, to offload some of the overhead of running secure multi-party computation. We present new optimized protocols and evaluate their efficiency in practice. In [CRR12] we present how to extend the verifiable delegation of computation protocol of [GKR08] to more than L-uniform computations, by adding an offline stage (and assuming a standard computational hardness assumption) following the model of [GGP10, CKV10, AIK10], but without requiring the client to have a secret state as required in previous works. In [MR13] we introduce a new security notion that strengthens the notion of security in the presence of covert adversaries of [AL10]. We also present two protocols that are secure according to the new notion. 10

21 2 Background on 2PC In this chapter, we present notations and definitions that will be used in Chapters 3 and 4, and describe previous techniques for constructing fully-secure 2PC based on the cut-and-choose method of [LP07]. 2.1 Notations Sets and Strings [k] is the set {1,...k} and S is the size of a set S. For a bit-string str, str is the length of str. Given two strings str 1 and str 2, str 1 str 2 is their concatenation Security Parameters and Basic Cryptographic Primitives Below we list the notations of the main cryptographic primitives we will use in the following chapters. See, for example, [KL08] for definitions and concrete instantiations of these primitives. s is a computational security parameter and t is a statistical security parameter. The first models the security of the underlying computational assumption, while the second models a cheat that is not due to any computational hardness. We will be mostly interested in concrete values of t, and then we require that security breaks with probability at most 2 ct, where 0 < c 1 is a known constant. s is implicitly used in all the cryptographic primitives we use. Enc(k,m) is a symmetric encryption of message m using key k. Commit(m,r) is a commitment on message m using randomness r. PRG(seed) is a pseudo-random generator that given a seed seed outputs a pseudo-random string. PRF seed (m) is a pseudo-random function that given the (secret) seed seed and (possibly publicly known) message m, outputs a pseudo-random string. Hash( ) is a cryptographic collision-resistant hash function. 11

22 REHash( ) is a collision-resistant hash function that is a suitable randomness extractor (e.g., see [DGH + 04]). Given a group G in which the discrete logarithm assumption holds, and two generators g,h G, let PCommit(b,r) = g b h r [Ped92]. We will use two properties of this function: (1) Without knowing log g (h), the function is a perfectly-hiding, computationally-binding commitment to b; (2) A player who commits to the same b twice using PCommit(b,r),PCommit(b,r ) can efficiently prove that it committed to the same b without revealing the actual value. This is done simply by publishing r r. (Anyone can check if PCommit(b,r) = h r r PCommit(b,r ).) Boolean Circuits Let C(x,y) be a boolean circuit, where x is the input of P 1 and y is the input of P 2. We assume all C s wires have unique indexes. We denote by IN c (i) the set of indexes of P i s input, by n i the size of P i s input (i.e., n i = IN c (i) ) and let n = n 1 + n 2. Similarly, we denote by OUT c (i) the set of indexes of P i s output, by q i = OUT c (i) and by q = q 1 + q 2. Last, we use the abbreviations IN c = IN c (1) IN c (2) and OUT c = OUT c (1) OUT c (2). 2.2 Definitions Ensembles Indistinguishability The next definitions are based on definitions from [HL10] and [LP11]. Definition 1. Let X = {X(a,s)} a {0,1},s N and Y = {Y (a,s)} a {0,1},s N be distribution ensembles that range over strings of length polynomial in s. We say that X and Y are computationally indistinguishable (denoted X c Y ) if for every non-uniform polynomial-time distinguisher D, every polynomial p( ) and all large enough s N, it holds that for every a {0,1} Pr[D (X(a,s)) = 1] Pr[D (Y (a,s)) = 1] 1 p(s). s is a security parameter that models the security of the underlying computational assumption, while for secure computation a usually represents the players inputs in the protocol. Definition 2. Let X = {X(a,s,t)} a {0,1}, s,t N and Y = {Y (a,s,t)} a {0,1}, s,t N be distribution ensembles that range over strings of length polynomial in s+t. We say that X and Y are (s,t)-indistinguishable (denoted X c Y ) if there exists a constant 0 < c 1 such that for every non-uniform polynomial-time 12

23 distinguisher D, every t N, every polynomial p( ) and all large enough s N, it holds that for every Pr[D (X(a,s,t)) = 1] Pr[D (Y (a,s,t)) = 1] 1 p(s) c t. a {0,1} The difference here from Definition 1 is the additional statistical security parameter t. This statistical security parameter models a probability of cheating that is not due to any computational hardness. (Note that security is required to hold for all t and all large enough s.) Indeed, one can take t = s and work with Definition 1. But, when considering concrete efficiency of cut-and-choose protocols, separating the two security parameters gives a more accurate treatment of the cheating probability Security of 2PC in the Presence of Malicious Players Here we define security using the ideal/real paradigm in the standalone setting. In a nutshell, we compare what can the adversary do in the real execution with what it can do in an ideal world that is secure by definition. Denote the players by P 1,P 2, let f : {0,1} {0,1} {0,1} {0,1} be a two party functionality, where f = ( f 1, f 2 ), and π be a 2PC protocol. Execution in the real model. In the real model, the adversary A sends all the messages of the corrupted player, while the honest player follows the protocol instructions. Let A be a non-uniform polynomial-time adversary, and let i {1,2} be the index of the corrupted player. We denote by R E A L π,a(aux),i (x,y,s) the output pair of the honest player P 3 i and A in the execution of π on inputs x,y, security parameter s and auxiliary input aux. (Note that the corruption model we consider here is static, meaning that the index of the corrupted player is chosen for the adversary and not by adversary during the protocol execution.) Execution in the ideal model. In the ideal model, the players have access to a trusted third party (TTP) for the function f. The players send to the TTP their inputs x and y. The honest player sends its real input, while A can send any message on behalf of the corrupted player. Then, the TTP returns f i (x,y) to P i. Since in the real execution the adversary can abort the execution at any step of the protocol, possibly after learning some information that the other player did not learn, the TTP allows A to abort the execution in the ideal model as well. Specifically, the adversary can send an abort message instead of its input (and then the TTP would send abort messages to all players), or, send an abort message after receiving f i (x,y) from the TTP (where P i is the corrupted player), and before the TTP sends f 3 i (x,y) to the honest player P 3 i. (This models the scenario in the real execution in which the adversary learns the output of the function, and aborts before sending it to the other player.) 13

24 Let A be a non-uniform polynomial-time adversary, and let i {1,2} be the index of the corrupted player. We denote by I D E A L f,a(aux),i (x,y,s) the output pair of the honest player P 3 i and A in the ideal model on inputs x,y, security parameter s and auxiliary input aux. Definition 3. Let f and π as described above. Protocol π is said to securely compute f with abort in the presence of malicious adversaries if for every non-uniform probabilistic polynomial-time adversary A in the real model, there exists a non-uniform probabilistic polynomial-time adversary S for the ideal model, such that for every i {1,2} { I D E A L f,s(aux),i (x,y,s) } c { x,y,aux {0,1} R E A L, s N π,a(aux),i (x,y,s) } x,y,aux {0,1}, s N where x = y. In some cases we would like to model a setup phase in which the players do not interact with each other, and possibly do not even participate at all. E.g., a setup of a public-key infrastructure, or, a generation of a trusted hardware that is distributed to the players. Modeling a setup phase can usually be done by giving the players access to a functionality that emulates the result of the setup phase, both in the real-model and in the ideal-model. A specific example, which we use later, is the common random string functionality that produces a string with a uniform distribution from a publicly known domain. Once the string is chosen, all calls to the functionality return the same string Universal Composability (UC) A major drawback of the standalone ideal/real paradigm is that it only guarantees security for sequential composition. Security might break, for example, if a protocol is executed several times concurrently, even if it is proven to be secure for a single invocation. [Can01] presents a stronger security notion called UC-security which allows (among other things) any composition of UC-secure protocols. The main difference between proving security in the UC framework and proving security in the standalone ideal/real paradigm, is that in the former there is an additional external entity, called the environment Z, which interacts with the adversary during the execution of the protocol (as opposed to the distinguisher in the standalone setting, which only sees the outputs at the end). When a UC-secure protocol is composed with itself or with other protocols, the same environment interacts with the adversaries of all protocols. The main implication of having such an external environment is that the simulator cannot rewind the adversary, or else the environment will detect it (since the environment is external, and thus not rewound). Another implication is that the simulator 14

25 cannot use the adversary in a non black-box way, since the adversary s actions could be determined by the external environment, which the simulator has no access to. As in the standalone setting, we are interested in whether the environment can distinguish between a real execution of the protocol π in the real model, and a simulated execution in the ideal model in which the (dummy) parties interact with an ideal functionality F that represents the desired functionality (similarly to the trusted third-party in the standalone setting). The output of the environment in the real execution is captured by the binary distribution ensemble E X E C π,a,z, whereas the output of the environment in the ideal execution is captured by the binary distribution ensemble I D E A L F,S,Z. See [Can01] for a detailed description of the framework and the ensembles. We say that two binary distribution ensembles X(a,s) and Y (a,s) are indistinguishable, denoted X Y, if for any polynomial p( ) there exists s 0 N such that for all s > s 0 we have that Pr[X(a,s) = 1] Pr[Y (a,s) = 1] 1 p(s). Then, security is defined as following: Definition 4. Let F be an ideal functionality. A protocol is said to UC-realize F if for any adversary A, there exists a simulator S such that for all environments Z, E X E C π,a,z I D E A L F,S,Z. We say that a protocol π is an F-hybrid protocol if during the execution of π, players have access to the functionality F. (We also say in this case that π is executed in the F-hybrid model.) The universal composition theorem [Can01] shows that one can replace F with a protocol π F that UC-realizes F and maintain the security of the original protocol π. A corollary of this theorem is the following: Theorem 5. Let F be an ideal functionality. Let π be an F-hybrid protocol that UC-realizes an ideal functionality G, and let ρ be a protocol that UC-realizes F. Then protocol π ρ UC-realizes G. In order to distinguish between protocols and parties, each invocation of a protocol is identified by a unique session identifier (sid) and each party is identified by a unique party identifier (pid). We assume that all communication is authenticated, and that all parties have access to a common reference string. In the context of the UC framework, this is captured by working in the (F AUT H,F CRS )- hybrid model, as discussed, for example, in [Can01, CR03]. In addition, we make use of the Random Oracle abstraction, which can be captured by the F RO ideal functionality as specified in [HMQ04]. 15

26 2.3 2PC Using Garbled Circuits and Oblivious Transfer Garbled Circuit [Yao86] shows how to compile any boolean circuit C(x) to a garbled version of the circuit and all its wires. Given a garbled circuit and a set of garbled input wires for a specific input x, anyone can learn the value of C(x) but nothing else. See [LP09, BHR12] for examples of such garbling compilers. To give a flavor of how it is done, we now describe the basic steps of the compiler of [LP09]. The garbling of the circuit consists of the following steps: For each wire j, pick at random the labels k j 0,k j 1 of length l, representing the bits zero and one, and a random bit r j. For each gate g with input-wires u,v and output-wire w, for each c 0,c 1 {0,1}, compute the encryptions Enc(kc u 0 r u,enc(kv c 1 r v,kw c )) where c is the gate output, namely c = g(c 0 r u,c 1 r v ) r w. The set of these four encryptions is the garbled version of the gate g. For each output wire j, let the output translation table of that wire be (k j 0,0) and (k j 1,1). The garbled circuit is the set of all garbled gates of the gates of C and all its output translation tables. We require that the encryption in use has an elusive and efficiently verifiable range. This means that given an encryption Enc(k,m), the decryption algorithm fails (with high probability) when it is given a key that is different than k. (See [LP09] for more details.) Now, given a garbled circuit and a set of garbled input-wires, anyone can evaluate the garbled gates in a topological order. For each garbled gate, the evaluator tries to decrypt each of the four encryptions using the labels it possesses for the gate inputs, and with high probability only the one of them should be decrypted correctly. It proceeds with the evaluation until it gets the labels of all the output wires. Then, it uses the output translation tables to translate those labels to the actual output. [LP09] shows that the security of the encryption in use implies that one can generate a fake garbled circuit which always outputs C(x) (even when given labels that correspond to input x x) that is indistinguishable from a garbled circuit of C with the labels that correspond x. (This property is defined also by [BHR12] as a game in which the adversary chooses C and x and receives either (1) a garbled circuit of C and the labels of the input-wires that correspond to x, or (2) a fake garbled circuit that always outputs C(x) and a set of labels that correspond to a random input, and required to guess which is the case.) 16